I'm asking, with genuine interest and a listening ear, what is the best
long term

solution you envision, to solve the larger problem?

Apparently the long term solution is for third-party apps to point blame at
Microsoft, and for Microsoft to point blame at third-party apps. They are
both right except in absolving themselves.

To start with this problem does not exist under IE6, regardless of
third-party protocol handler vulnerability. So the question is, why did it
open up after installing IE7? This portion is for Microsoft to address -
either it is a required consequence of new functionality that they should
reconsider, or it is a mistake that they should fix.

The individual third-party applications also need to sanitize their input of
course.